Operational Resilience. What does it mean?

September 7, 2020

Operational Resilience is the embedding of capabilities and processes, behaviours and systems that allow an organisation to continue to carry out its business in the face of disruption, regardless of the source. Operational resilience is therefore an outcome which requires organisations to be forward-looking and to make decisions today that help prevent harm tomorrow. Even before COVID-19, the UK FCA were focusing on how operationally resilient regulated firms really were, and looking back on their words, the irony cannot be lost. As Megan Butler, Executive Director of Supervision, stated back in December 2019: “We will not accept operational failures that – but for a lack of sufficient contingency planning – see consumers stuck on the phone for hours trying to speak to their bank, unable to complete a house sale or purchase or facing uncertainty over whether they will be able to pay their rent on time because they cannot transfer their money.” How the FCA will view banks' ability to respond to the pandemic is yet to be seen.

With greater regulatory pressures, complex IT systems, increased challenges to data security and stability of the economic environment, organisations must become more agile and more operationally resilient, in a manner that provides more flexibility in how they respond to systemic threats, changing marketplaces and customer demands. In order to demonstrate operational resilience, organisations need to look at their overall framework and eliminate silos. Below are 10 points to consider when reviewing your framework:

Leadership: This is the culture of the firm, where leaders are able to adapt to changing circumstances and to demonstrate resilient attributes. During the COVID pandemic, some leaders have stepped up and taken difficult decisions or have looked for opportunities, whereas others have been lost in this new environment.

Crisis Management: At a strategic level organisations must be able to communicate clear strategies and key messages to various audiences and key stakeholders. Lack of communication can lead to employees being disconnected.

Organisational Culture: Attributes of a resilient organisation include effective culture, coordination of risk management activities, sharing of information and knowledge, resource availability and ability to anticipate and manage change. How well has your organization managed to keep a good culture and engaged employees even when on a remote basis?

Risk Management: The identification, assessment and prioritisation of risks, followed by coordination of resources to minimise, monitor and control the probability and/or impact of an incident or to maximise the realisation of opportunities. The objective is to ensure uncertainty does not negatively impact the strategic objectives of the organization, which links heavily with the culture of your organization and the ability of your leader to manage a crisis.

Governance, Audit & Compliance: Ensuring best practices are fully understood and documented so that during a disruptive period those within the organization continue to understand their obligations. This includes training of employees and the ethics within the organization, so that individuals continue to comply with relevant requirements, and ensuring systems continue to enable effective oversight. It is also key to continue to audit your firm as you would under normal operational circumstances.

Environment: When establishing your operational environment, including management, governance and data such as communication networks and data storage, did your organization take into account potential disruption and how these systems would continue to be effective? This process would also incorporate facility management, safety and security capabilities.

Business Continuity: Business continuity refers to the identification of threats, vulnerabilities and risks that can potentially affect normal business operations, and to the provision of a framework of plans directed towards the resumption of business operations. This is part of being operationally resilient, which refers to the capacity of an organization to adapt to events and function optimally during external or internal threat or change. Organisations in the past have focused on BCPs, which are usually comprehensive but now need to be expanded and made outcome-focused.

Information Security: The practice of defending information, both physical and electronic, from unauthorised access, use, disclosure, disruption, modification, recording or destruction. During the time in which we have been working remotely, the number of cyber attacks has increased dramatically. How will your IT security work in this type of environment?

Supply Chain Resilience: The discipline of implementing supply chain continuity, managing supply chain risks and ensuring supply chain security. Managing threats to your supply chain, from likelihood, globalisation, shrinking product cycles, market volatility and unpredictable market cycles. How well has your supply chain coped during this period of uncertainty? Are there any key third parties who are a key risk to your operational resilience?

Financial Health & Viability: An organisation must be financially viable in changing conditions. The four main areas of financial health are liquidity, solvency, profitability and operating efficiency, and these should be stress tested for different scenarios to ensure the ongoing viability of the business in uncertain circumstances.

How can Effecta help your organisation meet the regulatory expectations associated with operational resilience?

Effecta can help by:

  • identifying important business services and mapping successful delivery back to the key underlying resources,
  • testing their ability to withstand a severe event with reference to an impact tolerance, and
  • identifying resilience gaps – and making investment choices that increase your ability to provide important business services – even when severe disruptive events happen.